Online CCFA-200 Exam Dumps Help You Build Confidence

Page 1 of 3

1. You have determined that you have numerous Machine Learning detections in your environment that are false positives. They are caused by a single binary that was custom written by a vendor for you and that binary is running on many endpoints.

What is the best way to prevent these in the future?

Contact support and request that they modify the Machine Learning settings to no longer include this detection

Using IOC Management, add the hash of the binary in question and set the action to "Allow"

Using IOC Management, add the hash of the binary in question and set the action to "Block, hide detection"

Using IOC Management, add the hash of the binary in question and set the action to "No Action"

2. What type of information is found in the Linux Sensors Dashboard?

Hosts by Kernel Version, Shells spawned by Root, Wget/Curl Usage

Hidden File execution, Execution of file from the trash, Versions Running with Computer Names

Versions running, Directory Made Invisible to Spotlight, Logging/Auditing Referenced, Viewed, or Modified

Private Information Accessed, Archiving Tools C Exfil, Files Made Executable

3. Which of the following Machine Learning (ML) sliders will only detect or prevent high confidence malicious items?

Aggressive

Cautious

Minimal

Moderate

4. What is the name for the unique host identifier in Falcon assigned to each sensor during sensor installation?

Endpoint ID (EID)

Agent ID (AID)

Security ID (SID)

Computer ID (CID)

5. Which of the following applies to Custom Blocking Prevention Policy settings?

Hashes must be entered on the Prevention Hashes page before they can be blocked via this policy

Blocklisting applies to hashes, IP addresses, and domains

Executions blocked via hash blocklist may have partially executed prior to hash calculation process remediation may be necessary

You can only blocklist hashes via the API

6. Where in the Falcon console can information about supported operating system versions be found?

Configuration module

Intelligence module

Support module

Discover module

7. What command should be run to verify if a Windows sensor is running?

regedit myfile.reg

sc query csagent

netstat -f

ps -ef | grep falcon

8. What impact does disabling detections on a host have on an API?

Endpoints with detections disabled will not alert on anything until detections are enabled again

Endpoints cannot have their detections disabled individually

DetectionSummaryEvent stops sending to the Streaming API for that host

Endpoints with detections disabled will not alert on anything for 24 hours (by default) or longer if that setting is changed

9. How can a Falcon Administrator configure a pop-up message to be displayed on a host when the Falcon sensor blocks, kills or quarantines an activity?

By ensuring each user has set the "pop-ups allowed" in their User Profile configuration page

By enabling "Upload quarantined files" in the General Settings configuration page

By turning on the "Notify End Users" setting at the top of the Prevention policy details configuration page

By selecting "Enable pop-up messages" from the User configuration page

10. Once an exclusion is saved, what can be edited in the future?

All parts of the exclusion can be changed

Only the selected groups and hosts to which the exclusion is applied can be changed

Only the options to "Detect/Block" and/or "File Extraction" can be changed

The exclusion pattern cannot be changed

Page 2 of 3

11. How do you disable all detections for a host?

Create an exclusion rule and apply it to the machine or group of machines

Contact support and provide them with the Agent ID (AID) for the machine and they will put it on the Disabled Hosts list in your Customer ID (CID)

You cannot disable all detections on individual hosts as it would put them at risk

In Host Management, select the host and then choose the option to Disable Detections

12. What is the maximum number of patterns that can be added when creating a new exclusion?

13. On which page of the Falcon console would you create sensor groups?

User management

Sensor update policies

Host management

Host groups

14. Why is the ability to disable detections helpful?

It gives users the ability to set up hosts to test detections and later remove them from the console

It gives users the ability to uninstall the sensor from a host

It gives users the ability to allowlist a false positive detection

It gives users the ability to remove all data from hosts that have been uninstalled

15. In order to exercise manual control over the sensor upgrade process, as well as prevent unauthorized users from uninstalling or upgrading the sensor, which settings in the Sensor Update Policy would meet this criteria?

Sensor version set to N-1 and Bulk maintenance mode is turned on

Sensor version fixed and Uninstall and maintenance protection turned on

Sensor version updates off and Uninstall and maintenance protection turned off

Sensor version set to N-2 and Bulk maintenance mode is turned on

16. When the Notify End Users policy setting is turned on, which of the following is TRUE?

End users will not be notified as we would not want to notify a malicious actor of a detection. This setting does not exist

End users will be immediately notified via a pop-up that their machine is in-network isolation

End-users receive a pop-up notification when a prevention action occurs

End users will receive a pop-up allowing them to confirm or refuse a pending quarantine

17. You have created a Sensor Update Policy for the Mac platform.

Which other operating system(s) will this policy manage?

*nix

Windows

Both Windows and *nix

Only Mac

18. Which role will allow someone to manage quarantine files?

Falcon Security Lead

Detections Exceptions Manager

Falcon Analyst C Read Only

Endpoint Manager

19. Which role is required to manage groups and policies in Falcon?

Falcon Host Analyst

Falcon Host Administrator

Prevention Hashes Manager

Falcon Host Security Lead

20. While a host is Network contained, you need to allow the host to access internal network resources on specific IP addresses to perform patching and remediation.

Which configuration would you choose?

Configure a Real Time Response policy allowlist with the specific IP addresses

Configure a Containment Policy with the specific IP addresses

Configure a Containment Policy with the entire internal IP CIDR block

Configure the Host firewall to allowlist the specific IP addresses

Page 3 of 3

21. How many "Auto" sensor version update options are available for Windows Sensor Update Policies?

22. You are evaluating the most appropriate Prevention Policy Machine Learning slider settings for your environment. In your testing phase, you configure the Detection slider as Aggressive.

After running the sensor with this configuration for 1 week of testing, which Audit report should you review to determine the best Machine Learning slider settings for your organization?

Prevention Policy Audit Trail

Prevention Policy Debug

Prevention Hashes Ignored

Machine-Learning Prevention Monitoring

23. Which of the following is an effective Custom IOA rule pattern to kill any process attempting to access www.badguydomain.com?

.*badguydomain.com.*

DeviceHarddiskVolume2*.exe -SingleArgument www.badguydomain.com /kill

badguydomain.com.*

Custom IOA rules cannot be created for domains

24. The alignment of a particular prevention policy to one or more host groups can be completed in which of the following locations within Falcon?

Policy alignment is configured in the "Host Management" section in the Hosts application

Policy alignment is configured only once during the initial creation of the policy in the "Create New Policy" pop-up window

Policy alignment is configured in the General Settings section under the Configuration menu

Policy alignment is configured in each policy in the "Assigned Host Groups" tab

25. Why is it critical to have separate sensor update policies for Windows/Mac/*nix?

There may be special considerations for each OS

To assist with testing and tracking sensor rollouts

The network protocols are different for each host OS

It is an auditing requirement

26. What are custom alerts based on?

Custom workflows

Custom event based triggers

Predefined alert templates

User defined Splunk queries

27. You want the Falcon Cloud to push out sensor version changes but you also want to manually control when the sensor version is upgraded or downgraded.

In the Sensor Update policy, which is the best Sensor version option to achieve these requirements?

Specific sensor version number

Auto - TEST-QA

Sensor version updates off

Auto - N-1

28. Which role allows a user to connect to hosts using Real-Time Response?

Endpoint Manager

Falcon Administrator

Real Time Responder C Active Responder

Prevention Hashes Manager

29. Which of the following can a Falcon Administrator edit in an existing user's profile?

First or Last name

Phone number

Email address

Working groups

[email protected]

Mon - Sat 9:00am - 6:00pm

Online CCFA-200 Exam Dumps Help You Build Confidence

Related

Posts

About Us

EMAIL

Services

Opening Hours